[Samba] Roaming Profiles GPO

Kees van Vloten keesvanvloten at gmail.com
Mon Dec 11 19:24:54 UTC 2023


On 11-12-2023 20:20, Rowland Penny via samba wrote:
> On Mon, 11 Dec 2023 20:03:12 +0100
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>>
>> On 11.12.2023 19:48, Rowland Penny via samba wrote:
>>> On Mon, 11 Dec 2023 19:25:23 +0100
>>> "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:
>>>
>>>>    Hi Rowland,
>>>>
>>>> if I do it as you recommend,
>>>>
>>>> * You can alternatively set other groups, to enable the group
>>>> members to store their user profile on the share. When using
>>>> different groups, apply the permissions as displayed for Domain
>>>> Users in the previous example.
>>>>
>>>> then it sort-of works: YES, a user that is not in the "Roaming
>>>> Profile Users" group does not get a roaming user profile created on
>>>> the file server, which is good, but he gets, on every login on
>>>> Windows, the warning message from the "User Profile Service" that
>>>> his/her profile cannot be synced with the server.
>>>>
>>>> To me this makes 100% sense, because the GPO is applied to
>>>> "Authenticated Users", but if the user in question is not member of
>>>> the "Roaming User Profiles" group, he/she cannot access the share
>>>> on the file server.
>>>>
>>> I think using 'Authenticated Users' is the problem.
>>> From my understanding, this is a group that contains any user that
>>> has authenticated, so the GPO is running for ALL users.
>>> However, the actual profile isn't created unless the user is a
>>> member of the group you created.
>>>     
>>> Rowland
>>>
>> Hi Tobias,
>>
>> I had a similar problem when setting up redirected folders.
>>
>> Authenticated users includes both users and domain computers.
> That makes sense, when you consider that a computer in AD is just a
> user with an extra objectclass.
>
>> So I
>> created a group "Redir users" and then applied "Security filtering"
>> only to "Domain computers" and "Redir users". Don't forget to run
>> samba-tool ntacl sysvolcheck and then samba-tool ntacl sysvolreset if
>> you get any errors. As I mentioned, gpupdate /force under Windows
>> doesn't work. The last thing is to reboot the Windows machines. Just
>> logoff and logon is not sufficient.

Security filtering should be just the group(s) to which the GPO applies.

Delegation should contain "Authenticated Users" and "Domain Computers" 
(and all the groups Windows has there by default).

- Kees.

> I think you are saying, use another group instead of 'Authenticated
> Users'.
>
> Rowland
>
>
>
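The split Kees describes (Apply only for the profile group, Read for Authenticated Users and Domain Computers) can be set and checked from a Windows admin workstation with the GroupPolicy module against a Samba AD DC. The following is an added example, not code from the thread or from the Samba project; the GPO name "Roaming Profiles" and the group name "Roaming Profile Users" are assumptions, so substitute your own.

```powershell
# Added example (not from the thread). Assumes a GPO named "Roaming Profiles"
# and a security group "Roaming Profile Users"; both names are placeholders.
Import-Module GroupPolicy

$GpoName = 'Roaming Profiles'        # assumed GPO name
$ApplyTo = 'Roaming Profile Users'   # assumed group that should receive the GPO

# Security filtering: only the chosen group gets "Apply group policy".
Set-GPPermission -Name $GpoName -TargetName $ApplyTo -TargetType Group `
    -PermissionLevel GpoApply

# Delegation: Authenticated Users (which includes computer accounts) and
# Domain Computers keep Read only. -Replace is needed because the cmdlet
# will not lower an existing (Apply) permission level on its own.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group `
    -PermissionLevel GpoRead -Replace

# Verify: list every trustee and flag anyone other than the intended group
# who still holds GpoApply, which is exactly the "warning on every logon" case.
Get-GPPermission -Name $GpoName -All |
    Select-Object Trustee, Permission, Inherited |
    Format-Table -AutoSize

$unexpected = Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' -and $_.Trustee.Name -ne $ApplyTo }
if ($unexpected) {
    Write-Warning ("GpoApply is still granted to: " +
        ($unexpected | ForEach-Object { $_.Trustee.Name }) -join ', ')
}
```

After changing GPO permissions on a Samba DC, run `samba-tool ntacl sysvolcheck` on the DC and, if it reports errors, `samba-tool ntacl sysvolreset`, as Peter notes earlier in the thread; then reboot the Windows clients rather than relying on `gpupdate /force` or a logoff/logon.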


